When you create an image using the HardCopyII unit and it creates the MD5 hash along with the image file(s), if you load that DD (bin) file into your software of choice for review (I use EnCase mostly), how can you verify the image to match the MD5 hash generated by the HardCopyII to match that in EnCase? Or is this even possible? Do I have to re-acquire the image in EnCase to find out?
Thanks.
If you were comparing hash values of an image you would want to compare the values of two capture units/utilities, say HardCopyII to a Logicube Talon or to DD. In EnCase you could find a file and compare the hash value of that file to the value of the same file found in say FTK. Typically you would also verify that the hash value of the image that you load into EnCase matches the value of what your imaging device says, but that is not really the same as verifying that your imaging utility is working correctly by comparing it to another imaging utility.
We use the HCII devices, and to my knowledge, they create one big dd-style image file.
The answer is easy…grab md5deep and fire it off against the image file *before* loading it into your software-of-choice.
Greetings,
If you acquire an image with one tool - HCII for example - and then reacquire the image with another tool - FTK Imager via a write blocker - you may not get hash values that match if there are bad sectors on the disk. Different tools handle bad sectors in different manners.
Just something to keep in mind….
-David
Does HCII give you a hash for the drive and the image on completion? (sorry, never actually used one)
If so, just load it into FTK Imager or EnCase or whatever and verify, and the total drive hash should be the same as the original acquisition hash regardless of the image type.
Re-imaging will just open up new problems if the drive has bad sectors as kovar mentioned, not to mention the time overheads imaging a drive you've already imaged once.
If the image hash matches the original drive hash (that hopefully HCII provides and you wrote down in your notes), then that's all you need.
Yes it gives you the hash once completed and also creates a text file that has the hash value and information about the drive that was imaged. Any tool that can hash the image will work and should give you a matching hash value as long as the image hasn't changed.
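The check discussed in this thread (hash the dd image yourself before loading it into a review tool, then compare against the value the imager recorded), as an added example that is not part of any post or of any vendor's tooling. It assumes the examiner supplies the recorded MD5 as a hex string; the function names, file names and sample data are constructed for illustration, and the split-segment case shows that segments must be hashed in acquisition order.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB image never sits in RAM


def md5_of_image(segment_paths):
    """MD5 over the segments concatenated in the order given."""
    digest = hashlib.md5()
    for path in segment_paths:
        with open(path, "rb") as fh:  # read-only: never open evidence for writing
            for block in iter(lambda: fh.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest()


def normalize(hex_hash):
    """Drop spaces/separators and case so report formatting does not matter."""
    return "".join(c for c in hex_hash if c.isalnum()).lower()


def verify_image(segment_paths, recorded_hash):
    """Return (matches, computed_hash) so both can go into the case notes."""
    computed = md5_of_image(segment_paths)
    return computed == normalize(recorded_hash), computed


def demo():
    """Constructed data standing in for an image, as one file and as two segments."""
    data = bytes(range(256)) * (3 * CHUNK // 256) + b"tail-sector"
    recorded = hashlib.md5(data).hexdigest().upper()  # as if copied from the imager's report
    with tempfile.TemporaryDirectory() as tmp:
        parts = []
        for i, start in enumerate(range(0, len(data), 2 * CHUNK), 1):
            path = os.path.join(tmp, f"image.{i:03d}")
            with open(path, "wb") as fh:
                fh.write(data[start:start + 2 * CHUNK])
            parts.append(path)
        whole = os.path.join(tmp, "image.dd")
        with open(whole, "wb") as fh:
            fh.write(data)
        return tuple(verify_image(p, recorded)[0] for p in ([whole], parts, parts[::-1]))


if __name__ == "__main__":
    print(demo())  # whole image, segments in order, segments out of order
```

A mismatch on a split image is worth rechecking with the segments sorted by their numeric suffix before concluding the image has changed.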